WordPress Plugin Vulnerabilities

FV Flowplayer Video Player < 7.5.19.727 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape the fv_wp_flowplayer_field_splash parameter which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
fv-wordpress-flowplayer
Fixed in 7.5.19.727

References

CVE
CVE-2022-25613

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Ex.Mi
Verified
Yes
WPVDB ID
a35884ec-4f66-4899-89bb-ff57f2c786f2

Timeline

Publicly Published
2022-03-24 (about 4 years ago)
Added
2022-04-04 (about 4 years ago)
Last Updated
2022-04-10 (about 4 years ago)

Other

Published
Title
Published
2020-02-25
Title
Photo Gallery < 1.5.46 - Multiple Cross-Site Scripting (XSS) Issues
Published
2024-10-15
Title
Custom Add to Cart Button Label and Link <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-24
Title
PostX < 4.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-18
Title
Infinite Slider <= 2.0.1 - Reflected Cross-Site Scripting
Published
2025-02-21
Title
Pago por Redsys < 1.0.13 - Reflected Cross-Site Scripting